
#1 2017-10-09 19:40:55

svanberg
Member
Registered: 2009-07-16
Posts: 88

A few thoughts about encrypted systems

Hello,

I have successfully installed LVM on LUKS with an encrypted boot partition disk layout, but I have a couple of questions that I would like to discuss.

1. I read somewhere that GRUB 2 is only capable of using the US keyboard layout during unlocking of the encrypted boot partition. Is this true?
2. I have activated automatic unlocking of the root partition (after I have manually unlocked the boot partition) by placing a keyfile in initramfs. Is this approach considered safe?
3. Do I really need to encrypt the boot partition and what security drawbacks does this imply (old article, but this person successfully accessed an encrypted file system by manipulating the source code - https://twopointfouristan.wordpress.com … ncryption/)

Last edited by svanberg (2017-10-09 19:43:54)

Offline

#2 2017-10-09 20:10:28

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: A few thoughts about encrypted systems

1. I read somewhere that GRUB 2 is only capable of using the US keyboard layout during unlocking of the encrypted boot partition. Is this true?

How should grub load your keyboard layout if it is encrypted? You could add a second key for the US keyboard layout that uses the same key presses, though
https://unix.stackexchange.com/question … 657#174657

To 2 and 3, if you include the keyfile, then you have to encrypt the boot partition or your security is nonexistent.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
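The second-key suggestion in the post above, worked through as an added example (not code from the thread): it computes which characters a US-layout reader such as GRUB receives for the key presses of a passphrase typed on a German QWERTZ keyboard. The German layout, the mapping table and the name `as_typed_on_us` are assumptions chosen for illustration; the thread does not say which layout is in use.

```python
# Added example: which characters does GRUB (US layout) see for a passphrase
# typed on a German QWERTZ keyboard? The table is a hand-built assumption for
# the plain and Shift levels only; check it against your own keyboard.
import string

# German character -> character the same physical key produces on a US layout.
DE_TO_US = {
    "z": "y", "y": "z", "Z": "Y", "Y": "Z",
    "ß": "-", "?": "_", "ü": "[", "Ü": "{", "+": "]", "*": "}",
    "ö": ";", "Ö": ":", "ä": "'", "Ä": '"', "#": "\\", "'": "|",
    "-": "/", "_": "?", ";": "<", ":": ">",
    '"': "@", "§": "#", "&": "^", "/": "&", "(": "*", ")": "(", "=": ")",
}
# Characters that sit on the same key and shift level in both layouts.
SAME_KEY = set(string.ascii_letters + string.digits + " ,.!$%") - set("yzYZ")


def as_typed_on_us(passphrase: str) -> str:
    """Return the string a US-layout reader sees for the same key presses."""
    out = []
    for ch in passphrase:
        if ch in DE_TO_US:
            out.append(DE_TO_US[ch])
        elif ch in SAME_KEY:
            out.append(ch)
        else:
            # AltGr characters (@, €, {, ...), dead keys and the ISO "<" key
            # have no reliable US equivalent: refuse instead of guessing.
            raise ValueError(f"no US-layout equivalent known for {ch!r}")
    return "".join(out)


if __name__ == "__main__":
    sample = "Zürich-2017!"  # constructed sample, not a real passphrase
    print(as_typed_on_us(sample))
```

The returned string is what would be enrolled as the additional LUKS passphrase (for instance with `cryptsetup luksAddKey`), so that the familiar key presses also unlock the volume at the GRUB prompt.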

#3 2017-10-10 20:04:56

svanberg
Member
Registered: 2009-07-16
Posts: 88

Re: A few thoughts about encrypted systems

progandy wrote:

1. I read somewhere that GRUB 2 is only capable of using the US keyboard layout during unlocking of the encrypted boot partition. Is this true?

How should grub load your keyboard layout if it is encrypted? You could add a second key for the US keyboard layout that uses the same key presses, though
https://unix.stackexchange.com/question … 657#174657

That is just so simple and brilliant at the same time. Thanks so much for the tip!

progandy wrote:

To 2 and 3, if you include the keyfile, then you have to encrypt the boot partition or your security is nonexistent.

Of course! But using an encrypted boot partition with the keyfile embedded in initramfs to unlock the root partition should be considered safe, right?

As for question 3, how (un)secure is it to only have the root or home partition encrypted (without any keyfile embedded in initramfs)?

Offline
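The keyfile point discussed in the posts above, as an added example that is not part of the thread: given a device tree in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output, it reports whether the initramfs image that carries the keyfile sits behind a dm-crypt mapping. The device names, both sample layouts and the image path `/boot/initramfs-linux.img` are constructed assumptions.

```python
# Added example: is the initramfs that carries the keyfile stored behind LUKS?
# Trees mimic `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; all names are constructed.
INITRAMFS = "/boot/initramfs-linux.img"  # assumed location of the image


def dev(name, typ, fstype=None, mountpoint=None, children=()):
    return {"name": name, "type": typ, "fstype": fstype,
            "mountpoint": mountpoint, "children": list(children)}


ROOT = dev("sda2", "part", "crypto_LUKS", children=[
    dev("cryptlvm", "crypt", "LVM2_member", children=[
        dev("vg-root", "lvm", "ext4", "/")])])
ENCRYPTED_BOOT = {"blockdevices": [dev("sda", "disk", children=[
    dev("sda1", "part", "crypto_LUKS", children=[
        dev("cryptboot", "crypt", "ext4", "/boot")]), ROOT])]}
PLAIN_BOOT = {"blockdevices": [dev("sda", "disk", children=[
    dev("sda1", "part", "ext4", "/boot"), ROOT])]}


def walk(nodes, behind_crypt=False):
    """Yield (node, True if the node is, or sits below, a dm-crypt mapping)."""
    for node in nodes:
        enc = behind_crypt or node["type"] == "crypt"
        yield node, enc
        yield from walk(node.get("children") or [], enc)


def backing_of(tree, path):
    """Return (mountpoint, device, encrypted) for the filesystem holding path."""
    best = None
    for node, enc in walk(tree["blockdevices"]):
        mp = node.get("mountpoint")
        if mp and (path == mp or path.startswith(mp.rstrip("/") + "/")):
            if best is None or len(mp) > len(best[0]):
                best = (mp, node["name"], enc)
    if best is None:
        raise LookupError(f"no mounted filesystem contains {path}")
    return best


def keyfile_exposed(tree, path=INITRAMFS):
    """True when the image holding the keyfile can be read without a passphrase."""
    return not backing_of(tree, path)[2]
```

On a real system the tree would come from `json.loads` of the `lsblk` output; the check covers only where the image is stored, not whether the boot code that precedes it has been modified.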

#4 2017-10-20 17:16:31

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: A few thoughts about encrypted systems

svanberg wrote:

2. I have activated automatic unlocking of the root partition (after I have manually unlocked the boot partition) by placing a keyfile in initramfs. Is this approach considered safe?

What method do you use for unlocking /boot partition?

Offline

#5 2017-10-22 19:32:11

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: A few thoughts about encrypted systems

svanberg wrote:

As for question 3, how (un)secure is it to only have the root or home partition encrypted (without any keyfile embedded in initramfs)?

I don't think there is a general answer to this: it depends on what security concerns and needs you have. What are you worried about? That is, what are you trying to protect against? I use an unencrypted EFI partition as boot. The rest of the disk is a LUKS partition. But there are things I'm not protecting against: I'm not bothered if somebody can easily tell what OS I run, for example, or that most of the disk is an encrypted LUKS partition. I'm not bothered if somebody can figure out which file system I use, and so on. I just don't want somebody to be able to read my data.

Nor am I protecting against somebody with physical access to my machine installing software to steal my keys etc. I assume that if somebody other than me has physical access, they are either more-or-less trusted or someone who's stolen my laptop. In the latter case, key loggers are not a concern - what matters is that my data not be readable. (Most likely the machine is asleep, but I'm guessing somebody would probably restart it when unable to unlock the session, relocking the encrypted container.)

That is, I have a reasonable sense of what I am and am not protecting against, the limitations of that protection etc. If I was in Edward Snowden's position, I would proceed differently, for sure. But I'm not, so I don't.

How secure is ...? How unsecure is ...?

How long is a piece of string?

Well, how big a parcel do you need to wrap and are you aware that Royal Mail no longer accept packages tied with string?

Last edited by cfr (2017-10-22 19:33:55)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#6 2017-11-10 21:07:44

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 59

Re: A few thoughts about encrypted systems

I don't know if it'll help you, but you can also try keeping your boot files on a USB drive and removing the /boot partition from the proper HDD entirely so its beginning can be used by maybe your system LVM on /dev/(s,h)da1.  That's what I've done for both my newer computers and the older ones that can't see GPT.  Haven't had any problems yet.

Last edited by RickDeckard (2017-11-10 21:09:14)

Offline

#7 2017-11-11 00:38:07

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: A few thoughts about encrypted systems

svanberg wrote:

3. Do I really need to encrypt the boot partition and what security drawbacks does this imply (old article, but this person successfully accessed an encrypted file system by manipulating the source code - https://twopointfouristan.wordpress.com … ncryption/)

Whether or not you encrypt /boot partition won't mitigate the type of attack described in that article. Even if your /boot partition is encrypted there is still a small portion of the system that is unencrypted (GRUB's BIOS boot partition, which is NOT the same as /boot, among other things). So yes, someone could steal your laptop, load malware into the unencrypted part of the drive to make it look like GRUB, and log your passphrase somewhere on the system. Then that person could steal your laptop back and decrypt with the logged passphrase.

The article suggests that one way to mitigate the issue is to put GRUB on a USB drive, but the same issue is there. Now someone has to steal your USB drive and swap it out instead of the laptop.

Offline

#8 2017-11-11 07:13:14

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 59

Re: A few thoughts about encrypted systems

rdeckard wrote:

Now someone has to steal your USB drive and swap it out instead of the laptop.

That understood, I do believe it to be much easier to keep a USB drive on yourself at all times than it is to keep a laptop.  Unless laptops become pocket-size.

Offline
